Temporary password in PHP

Many websites generate a temporary password, and some generate an activation code to verify an email address. They send an email containing that code. If you wonder how they do this, here is a function to do it.

/**
 * Just a little page footer, tells how many registered members
 * there are, how many users currently logged in and viewing site,
 * and how many guests viewing site. Active users are displayed,
 * with link to their user information.
 */
echo "</td></tr><tr><td align=\"center\"><br><br>";
echo "<b>Member Total:</b> ".$database->getNumMembers()."<br>";
echo "There are $database->num_active_users registered members and ";
echo "$database->num_active_guests guests viewing the site.<br><br>";

include("include/view_active.php");

?>

</td></tr></table>

</body></html>

register.php

PHP Code:

<?include("include/session.php");?>

<html><title>EMPLOYEE REGISTRATION</title><body>

<?
/**
 * The user is already logged in, not allowed to register.
 */
if($session->logged_in){
   echo "<h1>Registered</h1>";
   echo "<p>We're sorry <b>$session->username</b>, but you've already registered. "
       ."<a href=\"main.php\">Main</a>.</p>";
}
/**
 * The user has submitted the registration form and the
 * results have been processed.
 */
else if(isset($_SESSION['regsuccess'])){
   /* Registration was successful */
   if($_SESSION['regsuccess']){
      echo "<h1>Registered!</h1>";
      echo "<p>Thank you <b>".$_SESSION['reguname']."</b>, your information has been added to the database, "
          ."you may now <a href=\"main.php\">log in</a>.</p>";
   }
   /* Registration failed */
   else{
      echo "<h1>Registration Failed</h1>";
      echo "<p>We're sorry, but an error has occurred and your registration for the username <b>".$_SESSION['reguname']."</b>, "
          ."could not be completed.<br>Please try again at a later time.</p>";
   }
   unset($_SESSION['regsuccess']);
   unset($_SESSION['reguname']);
}
/**
 * The user has not filled out the registration form yet.
 * Below is the page with the sign-up form, the names
 * of the input fields are important and should not
 * be changed.
 */
else{
?>

<?
/**
 * If user is not logged in, then do not display anything.
 * If user is logged in, then display the form to edit
 * account information, with the current email address
 * already in the field.
 */
if($session->logged_in){
?>

/**
 * Note: when you add your own fields to the users table
 * to hold more information, like homepage, location, etc.
 * they can be easily accessed by the user info array.
 *
 * $session->user_info['location']; (for logged in users)
 *
 * ..and for this page,
 *
 * $req_user_info['location']; (for any user)
 */

/**
 * procLogout - Simply attempts to log the user out of the system
 * given that there is no logout form to process.
 */
function procLogout(){
   global $session;
   $retval = $session->logout();
   header("Location: main.php");
}

>he would go to a specific page that has the temporary password.
>The user can only use it once.
>
>This temporary password would allow the client to download 1 or 2 demos.
>
>Once the client has downloaded or even used his temp password it is not
>accessible again.
>
>The client also wants to be able to have stats on which of his users/clients has used the
>temporary password.

This sounds like a perfect situation for .htpasswd. You could create a random password (using your favorite backend), and then add a password entry to the file. Once the download has been performed (or, the user clicks a logout button) -- you can then perform the housekeeping functions (logging, deleting of password, etc.). You could then either with the logout page, create a new random password, or using a cron job create one.

Another approach would be to use a database. A table that has the directory name, associated password, expire/used date/flag, and a client ID. Then using say ASP or PHP or CFML, you could query the database (using the date/flag), and grab the password that is required for the requested page. Then you could by sending authentication headers, have the browser popup the username/password dialog box. Once the session is over (i.e., the download has been completed), you could set the flag to expired/used. Then, to create your reports, you would just query by clientID where expired is true -- and the database would spit back all the directories that have been accessed for a certain client.

The generating of random passwords always seems to start a holy war as to the best method. I would suggest creating an array of common short words (cat,dog,pet,home,etc.). Then, a random password could be generated by any of the following methods:

(*) Randomly access the array for two or more words, randomly changing the case (which would result in something like cAthOme)
(*) Pad a random number to the front and tail ends of a random word from the array (which would result in something like 3334cathome45)
(*) Reverse the words + number combination (54emoh43), etc.

>
>Is it feasible/doable?
>If so how would I go about doing it?

If you are comfortable with PHP, there is an excellent tutorial[1] that shows you how to perform authentication using PHP by various methods (including database, .htpasswd, flat file, and hard coding). It would be very easy to adapt it to this situation.
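
The temporary-password function promised at the top of the page and the database approach from the reply (directory, password, expire/used flag, client ID), as an added example that is not part of the original post or the linked tutorial. The table, column and function names and the in-memory SQLite store are assumptions; the password is drawn from PHP's random_int() CSPRNG rather than from a word list, and only its hash is stored.

```php
<?php
declare(strict_types=1);

// Added example: table, column and function names are assumptions, not from the page.
function openStore(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory SQLite stands in for the real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE temp_passwords (
        id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL, directory TEXT NOT NULL,
        pw_hash TEXT NOT NULL, expires_at INTEGER NOT NULL, used_at INTEGER)');
    return $db;
}

// Draw a 16-character password from the OS CSPRNG and store only its hash.
function issueTempPassword(PDO $db, int $clientId, string $directory, int $ttl = 86400): string {
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $password = '';
    for ($i = 0; $i < 16; $i++) {
        $password .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $stmt = $db->prepare('INSERT INTO temp_passwords (client_id, directory, pw_hash, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$clientId, $directory, password_hash($password, PASSWORD_DEFAULT), time() + $ttl]);
    return $password; // handed to the client once, never stored in clear
}

// Accept the password at most once: verify it, then claim the row atomically.
function redeemTempPassword(PDO $db, int $clientId, string $directory, string $password): bool {
    $stmt = $db->prepare('SELECT id, pw_hash FROM temp_passwords
                          WHERE client_id = ? AND directory = ? AND used_at IS NULL AND expires_at > ?');
    $stmt->execute([$clientId, $directory, time()]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (password_verify($password, $row['pw_hash'])) {
            // The "used_at IS NULL" guard makes a concurrent second redemption update 0 rows.
            $claim = $db->prepare('UPDATE temp_passwords SET used_at = ? WHERE id = ? AND used_at IS NULL');
            $claim->execute([time(), $row['id']]);
            return $claim->rowCount() === 1;
        }
    }
    return false;
}

// Constructed demo data: client 42 and one demo directory.
$db = openStore();
$pw = issueTempPassword($db, 42, '/demos/alpha');
var_dump(redeemTempPassword($db, 42, '/demos/alpha', 'guess')); // wrong password
var_dump(redeemTempPassword($db, 42, '/demos/alpha', $pw));     // first use
var_dump(redeemTempPassword($db, 42, '/demos/alpha', $pw));     // replay of a used password
print_r($db->query('SELECT directory, used_at FROM temp_passwords
    WHERE client_id = 42 AND used_at IS NOT NULL')->fetchAll(PDO::FETCH_ASSOC)); // usage report
```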